
RE: TLS / SSL
The trace indicates that the client has aborted the connection.
(That's what "TLS trace: SSL3 alert read:warning:close notify" means - the
server has read an alert sent from the client. The client sent the alert
saying "I'm closing this connection.")

The "Unable to read TLS client DN" message is just a warning. Since the
client didn't send a certificate, there is no DN to read.

There is an error somewhere in your client-side configuration, but without
client debug logs it's difficult to guess what the problem is. If it were a
CA cert problem, the alert would have been "unknown CA" so it's probably not
that.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
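As an added illustration (my own code, not part of this thread or of OpenLDAP), the following Python parser applies Howard's reading to a `slapd -d` TLS trace: it notes whether the server wrote its Finished message, whether a client DN could be read, which alerts each side sent, and derives a verdict. The sample trace is constructed from the lines quoted below; the `TlsSummary` type and the verdict strings are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the slapd -d trace quoted in this thread, trimmed.
SAMPLE_TRACE = """\
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write finished A
connection_read(13): unable to get TLS client DN error=49 id=0
TLS trace: SSL3 alert read:warning:close notify
connection_read(13): input error=-2 id=0, closing.
"""

# "alert read" = alert received from the client; "alert write" = alert slapd sent.
ALERT_RE = re.compile(r"TLS trace: SSL3 alert (read|write):(\w+):(.+)$")

@dataclass
class TlsSummary:
    handshake_complete: bool = False    # server wrote its Finished message
    client_cert_presented: bool = True  # cleared by "unable to get TLS client DN"
    alerts_read: list = field(default_factory=list)     # (level, description) from client
    alerts_written: list = field(default_factory=list)  # (level, description) from server
    verdict: str = ""

def summarize_trace(text: str) -> TlsSummary:
    s = TlsSummary()
    for line in text.splitlines():
        # OpenSSL also logs "error in <state>" when it merely needs more input
        # (non-blocking I/O); on its own that line is not a failure.
        if "SSL_accept:SSLv3 write finished" in line:
            s.handshake_complete = True
        elif "unable to get TLS client DN" in line:
            s.client_cert_presented = False  # warning only: no client certificate
        m = ALERT_RE.search(line)
        if m:
            target = s.alerts_read if m.group(1) == "read" else s.alerts_written
            target.append((m.group(2), m.group(3).strip()))
    descs = [d.lower() for _, d in s.alerts_read]
    if "unknown ca" in descs:
        s.verdict = "client rejected the server certificate: fix the client's CA trust store"
    elif not s.handshake_complete:
        s.verdict = "handshake never completed on the server side"
    elif "close notify" in descs:
        s.verdict = "client closed the session after a successful handshake: check client-side config and debug logs"
    else:
        s.verdict = "session established"
    return s
```

Feed it the full `slapd -d` output of one connection; the verdict separates a client-side abort after a good handshake (this thread's case) from a CA trust failure, where the client would have sent an "unknown CA" alert instead.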

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Kent Soper
> Sent: Tuesday, July 01, 2003 11:20 AM
> To: Ron Wahler
> Cc: openldap-software@OpenLDAP.org;
> owner-openldap-software@OpenLDAP.org
> Subject: RE: TLS / SSL
>
> You are connecting.  "Unable to read TLS client DN error = 49" is probably
> one of those errors that really isn't an error.  (I never claimed to be a
> TLS/SSL expert!)  Maybe it just means that client auth is not being
> utilized.  Kurt or Howard would know more about your error.
>
> Does the server shut down on its own or do you do it?
>
> Cheers,
> Kent
>
> "Ron Wahler" <ron@rovingplanet.com>
> Sent by: owner-openldap-software@OpenLDAP.org
> 07/01/2003 12:36 PM
>
> To: <openldap-software@OpenLDAP.org>
> cc:
> Subject: RE: TLS / SSL
>
> thanks for the help.
> I modified the files to be this but still don't connect.
>
> slapd.conf
>
> ssl yes
> port 636
> TLSCipherSuite          HIGH:MEDIUM:+SSLv3
> TLSCertificateFile      /opt/LocalCA/server_crt.pem
> TLSCertificateKeyFile   /opt/LocalCA/server_key.pem
> TLSCACertificateFile    /opt/LocalCA/cacert.pem
> #TLSVerifyClient         never
>
> ldap.conf
>
> ssl yes
> port 636
> ssl             start_tls
> TLS_CACERT  /opt/LocalCA/cacert.pem
> TLS_CERT    /opt/LocalCA/server_crt.pem
> TLS_KEY    /opt/LocalCA/server_key.pem
> #TLS_REQCERT demand
>
> I also tried commenting out TLS_CACERT TLS_CERT and TLS_KEY with the
> same result...
>
>
> Ron.
>
> Ron wrote:
> > I also get this when I allow SSLv3 on the ldap side
> >
> > ldap_pvt_gethostbyname_a: host=fido, r=0
> > put_filter: "(objectclass=*)"
> > put_filter: simple
> > put_simple_filter: "objectclass=*"
> > ber_scanf fmt (m) ber:
> > connection_get(13): got connid=0
> > connection_read(13): checking for input on id=0
> > TLS trace: SSL_accept:before/accept initialization
> > TLS trace: SSL_accept:SSLv3 read client hello A
> > TLS trace: SSL_accept:SSLv3 write server hello A
> > TLS trace: SSL_accept:SSLv3 write certificate A
> > TLS trace: SSL_accept:SSLv3 write server done A
> > TLS trace: SSL_accept:SSLv3 flush data
> > TLS trace: SSL_accept:error in SSLv3 read client certificate A
> > TLS trace: SSL_accept:error in SSLv3 read client certificate A
> > connection_get(13): got connid=0
> > connection_read(13): checking for input on id=0
> > TLS trace: SSL_accept:SSLv3 read client key exchange A
> > TLS trace: SSL_accept:SSLv3 read finished A
> > TLS trace: SSL_accept:SSLv3 write change cipher spec A
> > TLS trace: SSL_accept:SSLv3 write finished A
> > TLS trace: SSL_accept:SSLv3 flush data
> > connection_read(13): unable to get TLS client DN error=49 id=0
> > connection_get(13): got connid=0
> > connection_read(13): checking for input on id=0
> > ber_get_next
> > TLS trace: SSL3 alert read:warning:close notify
> > ber_get_next on fd 13 failed errno=0 (Success)
> > connection_read(13): input error=-2 id=0, closing.
> > connection_closing: readying conn=0 sd=13 for close
> > connection_close: conn=0 sd=13
> > TLS trace: SSL3 alert write:warning:close notify
> >
> > > -----Original Message-----
> > > From: Ron Wahler
> > > Sent: Tuesday, July 01, 2003 10:30 AM
> > > To: Lawrence, Mike (White Plains); freeradius-users@lists.cistron.nl;
> > > openldap-software@OpenLDAP.org
> > > Subject: RE: TLS / SSL
> > >
> > >
> > >
> > > Getting this but the client can't connect at port 636
> > >
> > > CLIENT
> > > m_ldap: setting TLS mode to 1
> > > rlm_ldap: bind as cn=Manager,dc=fido,dc=com/secret to 10.0.0.94:636
> > > rlm_ldap: cn=Manager,dc=fido,dc=com bind to 10.0.0.94:636 failed: Can't contact LDAP server
> > > rlm_ldap: (re)connection attempt failed
> > >
> > >
> > >
> > > SERVER:
> > >
> > > ldap_pvt_gethostbyname_a: host=fido, r=0
> > > put_filter: "(objectclass=*)"
> > > put_filter: simple
> > > put_simple_filter: "objectclass=*"
> > > ber_scanf fmt (m) ber:
> > > connection_get(13): got connid=0
> > > connection_read(13): checking for input on id=0
> > > TLS trace: SSL_accept:before/accept initialization
> > > TLS trace: SSL_accept:SSLv3 read client hello A
> > > TLS trace: SSL_accept:SSLv3 write server hello A
> > > TLS trace: SSL_accept:SSLv3 write certificate A
> > > TLS trace: SSL_accept:SSLv3 write server done A
> > > TLS trace: SSL_accept:SSLv3 flush data
> > > TLS trace: SSL_accept:error in SSLv3 read client certificate A
> > > TLS trace: SSL_accept:error in SSLv3 read client certificate A
> > > connection_get(13): got connid=0
> > > connection_read(13): checking for input on id=0
> > > TLS trace: SSL_accept:SSLv3 read client key exchange A
> > > TLS trace: SSL_accept:SSLv3 read finished A
> > > TLS trace: SSL_accept:SSLv3 write change cipher spec A
> > > TLS trace: SSL_accept:SSLv3 write finished A
> > > TLS trace: SSL_accept:SSLv3 flush data
> > > connection_read(13): unable to get TLS client DN error=49 id=0
> > > connection_get(13): got connid=0
> > > connection_read(13): checking for input on id=0
> > > ber_get_next
> > > TLS trace: SSL3 alert read:warning:close notify
> > > ber_get_next on fd 13 failed errno=0 (Success)
> > > connection_read(13): input error=-2 id=0, closing.
> > > connection_closing: readying conn=0 sd=13 for close
> > > connection_close: conn=0 sd=13
> > > TLS trace: SSL3 alert write:warning:close notify
> > >
> > > > -----Original Message-----
> > > > From: Lawrence, Mike (White Plains)
> > > > [mailto:Mike.Lawrence@starwoodhotels.com]
> > > > Sent: Tuesday, July 01, 2003 9:01 AM
> > > > To: Ron Wahler
> > > > Subject: RE: TLS / SSL
> > > >
> > > >
> > > > Hi Ron - I see that error as well and what it means is that
> > > > the server was unable to get a client certificate.  It doesn't
> > > > need one to do ssl/tls, but it will still give the error if
> > > > it doesn't have one, so it's basically a noise error and not
> > > > a big deal unless you do have a client cert and are trying to
> > > > use it.
> > > >
> > > > -----Original Message-----
> > > > From: Ron Wahler [mailto:ron@rovingplanet.com]
> > > > Sent: Monday, June 30, 2003 4:01 PM
> > > > To: openldap-software@OpenLDAP.org
> > > > Subject: TLS / SSL
> > > >
> > > >
> > > >
> > > > I am getting the following error when trying to connect
> > > > from FreeRadius to OpenLDAP on SSL port 636.  Is there
> > > > something here I can look at in the configuration files?
> > > >
> > > > Ron.
> > > >
> > > >
> > > >
> > > > connection_get(13): got connid=0
> > > > connection_read(13): checking for input on id=0
> > > > TLS trace: SSL_accept:SSLv3 read client key exchange A
> > > > TLS trace: SSL_accept:SSLv3 read finished A
> > > > TLS trace: SSL_accept:SSLv3 write change cipher spec A
> > > > TLS trace: SSL_accept:SSLv3 write finished A
> > > > TLS trace: SSL_accept:SSLv3 flush data
> > > > connection_read(13): unable to get TLS client DN error=49 id=0
> > > > connection_get(13): got connid=0
> > > > connection_read(13): checking for input on id=0
> > > > ber_get_next
> > > > TLS trace: SSL3 alert read:warning:close notify
> > > > ber_get_next on fd 13 failed errno=0 (Success)
> > > > connection_read(13): input error=-2 id=0, closing.
> > > > connection_closing: readying conn=0 sd=13 for close
> > > > connection_close: conn=0 sd=13
> > > > TLS trace: SSL3 alert write:warning:close notify
> > > >